github jokob-sk/NetAlertX v25.11.29
v25.11.29 - 🛑 Enhanced security, PIHOLEAPI and changes in data folders

5 hours ago

Hi everyone 👋!

This release significantly improves the security of the application by running on a read-only filesystem. Because of this major internal change, manual migration steps are required. The user data Docker volume paths have moved from /app to /data, and a tmpfs mount is now required for all writable directories. Find a sample docker-compose.yml template below and read the Migration docs for details on how the permissions changed. Also ensure you re-save the settings after the migration (see details below on why).

A big thanks to @adamoutler, who rewrote the installation scripts, created a comprehensive pre-initialization check, enhanced the code base with linting checks, created a devcontainer to speed up development, and made various other additions.

This version also adds a PIHOLEAPI plugin that leverages the new v6 API for device retrieval from your PiHole instance. Thank you to @leiweibau for the bulk of the code from his PiAlert project.

Thanks also to @JVKeller for help with the bare-metal install.

As always, thank you to all translators: @GitSpoon, @maksim2005UKR, @mapi68, "R", @Atalanttore, "anton garcias", @YoSafeguard, @AlmaziikDev, "jeet moh", @Blueberryy, @p-bo, @bo3bdo, "Carlos M. Silva"

Minimum required docker-compose.yml template:

services:
  netalertx:
    container_name: netalertx
    image: "ghcr.io/jokob-sk/netalertx"  # 🆕 This has changed
    network_mode: "host"
    cap_drop:                # 🆕 New line
      - ALL                  # 🆕 New line
    cap_add:                 # 🆕 New line
      - NET_RAW              # 🆕 New line
      - NET_ADMIN            # 🆕 New line
      - NET_BIND_SERVICE     # 🆕 New line
    restart: unless-stopped
    volumes:
      - /local_data_dir:/data  # 🆕 This folder contains your /db and /config directories and the parent changed from /app to /data
      # Ensuring the timezone is the same as on the server - make sure also the TIMEZONE setting is configured
      - /etc/localtime:/etc/localtime:ro    # 🆕 New line
    environment:
      - PORT=20211
    # 🆕 New "tmpfs" section START 🔽
    tmpfs:
      # All writable runtime state resides under /tmp; comment out to persist logs between restarts
      - "/tmp:uid=20211,gid=20211,mode=1700,rw,noexec,nosuid,nodev,async,noatime,nodiratime"
    # 🆕 New "tmpfs" section END  🔼

See the Migration docs for details, as the folders and files need to be owned by the user and group with ID 20211.
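A pre-flight check for the migration described above, as an added example that is not part of the release notes or the NetAlertX project: it confirms that the host directory mounted at /data contains db and config, that everything in it is owned by 20211:20211, and it lists compose volume entries that still target /app. The function names are hypothetical; the only values taken from this page are the 20211 IDs and the /app and /data paths.

```shell
#!/bin/sh
# Added example: host-side checks before starting the hardened container.
# Assumption: function names are illustrative; uid/gid default to 20211
# as stated in the release notes.

# Print every path under $1 not owned by uid $2 / gid $3.
# Returns 0 when all paths match, 1 on mismatches, 2 if $1 is missing.
check_owner() {
    dir=$1; uid=${2:-20211}; gid=${3:-20211}
    [ -d "$dir" ] || { echo "missing: $dir" >&2; return 2; }
    bad=$(find "$dir" \( ! -user "$uid" -o ! -group "$gid" \) -print)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Verify the layout the template expects: <data_dir>/db and <data_dir>/config.
check_layout() {
    for sub in db config; do
        [ -d "$1/$sub" ] || { echo "missing: $1/$sub" >&2; return 1; }
    done
}

# List (with line numbers) volume entries in a compose file whose
# container-side path is still under the old /app tree.
legacy_mounts() {
    grep -nE '^[[:space:]]*-[[:space:]]*"?[^#"]*:/app(/|:|"|[[:space:]]|$)' "$1"
}

# Run the checks only when a host data directory is given as an argument.
if [ -n "${1:-}" ]; then
    check_layout "$1" && check_owner "$1" && echo "OK: $1 is ready to mount at /data"
fi
```

Run it with the host path from the volumes entry (here /local_data_dir) as the only argument; any path it prints still needs its ownership changed to 20211:20211.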


❗ Known issues:

  • See open issues.

📃 Changelog

💔 Breaking changes

Sometimes I have to introduce breaking changes

  • ⏰ Reminder: Due to code refactoring, to upgrade to this version from a version before v25.5.24 you have to upgrade to v25.5.24 first. See the upgrades docs for details.
  • 💔 Due to language string cleanup, you will have to select your UI_LANG again and re-save your settings.
  • 💔 Because the format of the SMTP_PASS setting changed, you will have to re-save your settings.
  • 💔 The TZ=Europe/Berlin docker variable was replaced by the more common approach of mapping -v /etc/localtime:/etc/localtime:ro
  • 💔 Due to security hardening, the docker container volume locations changed from /app to /data, and a new tmpfs mount for all writable directories was added. See Migration docs for details.

Warning

  • ⚠️ UPCOMING: The port of the sync nodes for the SYNC plugin will change to the value of the GRAPHQL_PORT setting. Both ports are currently supported, so please update your configuration to point to the new port in the SYNC_hub_url and SYNC_nodes settings.
  • ⚠️ UPCOMING: If you have implemented external applications using the OLD API endpoints, please migrate to the NEW API endpoints.

🆕 New capabilities

  • ARPSCAN_DURATION setting to run ARPSCAN for a longer time to try to discover IoT or similar devices #1172
  • Device name in page titles #1162
  • UI_DEFAULT_PAGE_SIZE setting to change the default page size #1181
  • NEWDEV_IP_MATCH_NAME setting to disable name discovery and matching based on IP if you don't have static IPs on your network
  • PIHOLEAPI plugin to connect to your PiHole instance via API #1282
  • Notifications now contain a link to the server in the footer as per the REPORT_DASHBOARD_URL setting #1267

✨ Fixes and Improvements

  • Events notifications enabled on the Internet root node and using the SYNC plugin led to IP flipping #1207
  • app.log line break fix
  • LOG_LEVEL not respected #1217
  • Compound notification filters didn't work #1210
  • The Device tile for All devices didn't work properly #1238
  • SNMPDSC didn't respect timeout settings #1231
  • Multi-edit preventing error if no devices selected #1219
  • SMTP_PASS didn't allow for ' quotes in passwords #1253
  • Devices with number-only names caused Network topology page error #1281
  • You can now use the --vlan parameter if you have both NMAPDEV and ARPSCAN enabled #1264
  • Performance optimizations of name lookups #1251
  • Better invalid data handling of the UNIFIAPI plugin #1224
  • More robust args handling in the NMAP plugin #1288
  • Better SCHEDULE cron value validation #1306

Current priorities

  • High priority: Settings, Workflows and Plugins core improvements
  • Low priority: UI (PRs welcome, but follow guidelines)

🐞 Known issues

If you have any debug info/suggestions regarding the above, please open a separate issue, thanks! 🀍


Full Changelog: v25.10.1...v25.11.29
